IDS mailing list archives

Re: newbie questions


From: Mike Paquette <paquette () toplayer com>
Date: 10 Jan 2005 23:54:21 -0000

In-Reply-To: <41DD51DF.9080407 () immunitysec com>

Dave,

I've been following this thread for the last week or so.  As you may know, we like your CRI tool, and indeed we use it 
to test RPC handling and inspection in Top Layer's network IPS products.  I also appreciate many of your comments 
regarding the importance of the IDS/IPS properly handling IP fragments, TCP segments, and RPC fragments in order to 
defeat evasion attempts.

I'm not quite sure, however, why you're bashing the NSS IPS tests.  Your comments seem to be applying a very narrowly 
defined criterion as the basis for dismissing the entire NSS IPS test suite.  Specifically, I must take exception to 
your claim that "They largely test for things you don't care about, such as pushing packets down a wire."

As a vendor of IPS products, I can tell you that organizations planning to deploy network IPS technology are VERY 
interested in how well the IPS can push packets down the wire!  They all run businesses, and the packets being "pushed 
down their wire" are their lifeblood: payment transfers, sports bets, media delivery, internal application requests, 
etc.  In my experience, the ability of the IPS to handle legitimate traffic as a "good networking device" is often used 
as the *first* set of criteria in selecting an inline IPS product.  I've had many a customer who literally said that 
they didn't even want to *talk* about the protection mechanisms until we'd proven that our device could operate as a 
"good network citizen."

We've run our products through the NSS IPS tests, and I just can't agree with the rest of your comments:

"They're not open tests."

The NSS test methodologies are published in full.

"They're outdated."
 
The first IPS test was a year ago and the NSS methodology was brand new.  You're right that it's mostly the same this 
year, save for some new exploits, but I would not consider it outdated.  I don't know of a more recent or more 
comprehensive set of tests for a network IPS.

"They largely test for things you don't care about, such as pushing packets down a wire..."
 
My experience shows that organizations DO care about the things that NSS tests for: signature coverage, baseline 
performance, performance under load, latency, application response times, anti-evasion capabilities, stateful 
operation, management and configuration.  I already mentioned my view about "pushing packets down the wire."
Bob Walder from NSS can chime in here, but my understanding is that the NSS signature coverage tests include many 
RPC-related exploits and their variants, run both "in the clear" and with various evasion techniques, including 
modified exploit code and RPC fragmentation.

"No scientific test should be non-repeatable"

We've been able to repeat the majority of the NSS tests consistently in our lab.  You might be talking about the fact 
that the capture files for the attack recognition tests are not publicized.  This topic was addressed in the thread 
regarding the Tipping Point Tomahawk tool already.  Clearly the set of "attacks" used is the result of work that NSS 
has performed, and I understand their desire to keep that proprietary.

"and no scientific test should require such large amounts of money to change hands."

Do you mean the test fees? The report fees? If so, why not? It's called "business."  Only by charging money can a test 
house spend the amount of time necessary to REALLY test advanced products like network IPS.  In fact, you might be able 
to use CRI to create your own mini-test, and charge IPS vendors to participate in it!  Or why not work with Walder 
directly to have him use CRI to enhance his evasion section of his test?

Mike Paquette
VP Technology,
Top Layer Networks, Inc.

